Abstract. We study conditions for a concurrent construction of proof-nets
in the framework developed by Andreoli in recent papers. We define
specific correctness criteria for that purpose. We first study closed modules
(i.e. validity of the execution of a logic program), then extend the
criterion to open modules (i.e. validity during the execution), distinguishing
criteria for acyclicity and connectability in order to allow incremental
verification.



1 Introduction 

In the last few years, Andreoli [2,3,4] investigated a new style of logic programming
aware of resources and aiming at expressing non-determinism, concurrency
and (possibly) infinite computations. Logic programming facilitates naturally 
non-determinism. The other characteristics are out of scope when logic pro- 
gramming is only used for proving goals (possibly by instantiating first order 
variables). Indeed, proof construction can be goal-directed (and the hypothesis 
is given as a set of special clauses) or hypothesis-directed (and the goal may be 
empty). This latter case can be reduced to the first one by contraposing each 
implication and considering negation of hypotheses as the goal: each resolution 
is then interpreted as a transformation of the environment. Computation ends 
when the current environment is empty. As computations build partial proofs, 
there is no difficulty to take care of (potentially) infinite computations. 

It is now a well-known fact that linear logic, a resource-conscious logic, may
be used as a programming language after Andreoli's works pp.¹ In the paper just
cited, he took a standard approach and his presentation was sequential. More
recently, Andreoli takes care of concurrency by switching to proof-nets as this
syntax affords a desequentialized presentation of proofs, hence a concurrent way
to compute them at the expense of a correctness criterion that guarantees to
recover sequentialization, i.e. validity of proofs. In this paper, we search for a
generalization of his results in order to have full expressivity. For that purpose,
we depart from his approach by adopting a graph point of view. Equivalent to
clauses in standard logic programming, modules, as graph elements, arise naturally
from proof nets. In a few words, associativity, commutativity² and focalization
lead to polarize formulae, hence to stratify proofnets. Bipolar structures
become computational structures as composition of such structures corresponds
to some kind of progression rule.

* Partially supported by ACI NIM project Geometrie du Calcul (GEOCAL), France.
¹ Full first-order linear logic can be used as a programming language. However, we
restrict in this paper to propositional multiplicative linear logic.

Andreoli set up this desequentialized framework for middleware infrastruc- 
tures. In such applications, software agents must satisfy requests or goals by 
executing concurrently actions on a shared environment. Resources model con- 
crete objects, e.g. documents, or high-level elements, e.g. functionalities. Actions 
transform the environment by deleting resources and creating sets of mutually
exclusive results. Andreoli focused on transitory proof-structures, i.e. actions
always create new resources. Moreover, he imposes prerequisites of actions to 
be satisfied in order to execute them: the proof construction is exclusively done 
bottom-up. As we shall see in sectional these two hypotheses greatly simplify 
the problem of defining formally conditions under which actions may be under- 
taken. On the contrary, we constrain neither the structure of modules, nor the 
application order. It is then possible to define actions that kill resources (e.g. 
close a branch in a plan, or withdraw a functionality or a resource) or to antici- 
pate consequences of resources still to be acquired. Furthermore, we depart from 
Andreoli's approach for defining a correctness criterion. His method is based on 
a computation of domination forests in the spirit of Murawski and Ong's ap- 
proach [J]. We adopt here a completely different strategy. We define reduction 
relations in order to get constraints on execution. 

The following section gives basic definitions. We formally present modules 
from elementary ones, graphically and in terms of formulae. We specify in which 
sense a module is correct, i.e. the computation is allowed. Section 3 is devoted
to closed modules. A module is closed when computation ends. Although closed 
modules are an extreme special case of modules, the methodology we use intro- 
duces naturally the way we consider open modules. In a first attempt, we re- 
formulate the resolution rule as a rewriting rule on modules, the Danos-Regnier 
criterion being used for characterizing correct normal forms. The Danos-Regnier 
criterion is based on graph properties of proof nets: correct proof structures, i.e. 
proof nets, are in some sense the connected and acyclic ones. We deduce a cor- 
rectness criterion for closed modules as our rewriting rule is stable and inverse 
stable wrt connexity and acyclicity. We define next a modified version of the pre- 
vious rewriting system that takes care of the parallel structure of modules. Open 
modules, i.e. modules without constraints, are studied in section 4. We prove that
the Danos-Regnier criterion may be extended to open modules seeing that we 
replace connexity by connectability. We give two rewriting systems as acyclicity 
and connectability differ fundamentally. These two systems may be viewed as 
variations over the one we give for closed modules. We end with a study on in- 
crementality wrt composition of modules. In terms of computation, elementary 
modules compete to modify some current module (the environment). It is then 
crucial to be able to define rewriting systems that commute with composition. 



We show that we have to restrict previous rewriting systems for that purpose.
However, the rewriting systems have to be split into two parts: one commutes
with composition, the other is a post-treatment necessary to test correctness of
composition.³

² and distributivity when dealing with the additive part of linear logic.

2 Basic definitions 

Elementary bipolar modules are our basic blocks. They are interpreted as el- 
ementary actions that can take place during an execution. In terms of graph, 
applying an action is represented as a wire, i.e. composition, of the correspond- 
ing (elementary) module onto the current graph. In terms of sequent calculus, 
this is a resolution step. 

Definition 1 (EBM). An elementary bipolar module (EBM) M is given by
a finite set $H(M)$ of propositional variables (called hypotheses) $h_i$ and a non
empty finite set $C(M)$, varying over $k$, of finite sets of propositional variables
(called conclusions) $c^k_{j_k}$. Variables are supposed pairwise distinct.⁴ The set of
propositional variables appearing in M is noted $v(M)$. Equivalently, one can
define it as an oriented graph with labelled pending links and one positive pole
under a finite set of negative poles. Its type $t(M)$ and drawing are given in the
following way:



The set of variables, or equivalently the set of pending links of a module M , is 
called the border b(M). 

This specification of modules comes from the fact that connectives are naturally
split into two sets: e.g. $\otimes$ is said positive, while $\parr$ is negative. Propositional
variables are declared positive, and their negation negative. Formulae alternate
positive and negative levels up to propositional variables. Moreover, it is possible
to flatten proofnets to get bipolar structures related by links on fresh variables
as in figure 1. If we notice that a variable and its negation cannot be together
linked to negative nodes (it would contradict the correctness criterion), we can
always suppose that, say, positive variables are linked to negative nodes. Finally,
it may be the case that some bipolar structure (thus beginning with a positive
node at bottom) has no negative variable: add then the constant 1, neutral for
$\otimes$. Allowing abusively unary $\otimes$ and $\parr$ connectives, these (elementary) bipolar
structures are the clauses of our programming language.

³ Complements and some technical proofs are available in the annex of the submission
and will be omitted in the final version but remain in a preprint version.

⁴ This restriction is taken for simplicity. The framework can be generalized if we
consider multisets (of hypotheses and conclusions) instead of sets, and add as required
a renaming mechanism: the results in this paper are still true.

Fig. 1. flatten of proof-nets



We thus conveniently suppose that $\parr_k F_k = \bigotimes_k F_k = F_1$ when the domain
of $k$ is of cardinal 1. Moreover, if the domain of $i$ is empty, $(\bigotimes_i h_i) \multimap C = 1 \multimap C$,
and if the domain of $j_k$ for some $k$ is empty, $(\bigotimes_{j_k} c^k_{j_k}) = \bot$.

Example 1. The EBMs $\alpha$ and $\beta$ of respective types $t(\alpha) = a \multimap (b \otimes c)$ and
$t(\beta) = b \multimap (d \parr (e \otimes f))$ are drawn in the following way:

Three kinds of EBMs are of special interest: An EBM is initial (resp. final) iff
its set of hypotheses is empty (resp. its set of conclusions is empty). An EBM is
transitory iff it is neither initial nor final. Initial EBMs allow one to declare available
resources, whereas final EBMs stop part of a computation by withdrawing a whole
set of resources. Transitory EBMs are called definite clauses in standard logic
programming.

Roughly speaking, a (bipolar) module (BM) is a set of EBMs such that a 
label appears at most once as a conclusion and at most once as a hypothesis. 
A label appears as a conclusion and as a hypothesis when two EBMs are linked 
by this label. As we search for correctness criteria wrt composition of modules 
(i.e. execution of the program), we give below an inductive definition of bipolar 
modules. 

Definition 2 (BM). A bipolar module (BM) M is defined with hypotheses
$H(M)$, conclusions $C(M)$, and type $t(M)$, inductively in the following way:

- An EBM is a BM.

- Let M be a BM, and N be an EBM, let $I = C(M) \cap H(N)$; their composition
wrt the interface I, $M \circ_I N$, is a BM with:

• the multiset of hypotheses $H(M) \cup (H(N) - I)$

• the multiset of conclusions $(C(M) - I) \cup C(N)$

• the type $t(M) \otimes t(N)$

• the variables $v(M) \cup v(N)$



The informal explanation given before is more general than this definition 
because we define BM incrementally. However, we abusively do not consider these 
differences in the following as properties will be proven in the general case. The 
interface will be omitted when it is clear from the context. Note that the interface 
may be empty: it only means that two computations are undertaken, currently 
without any shared resources. A BM may not correspond to a valid computation: 
e.g. we do not want to accept that some action uses two resources in disjunctive 
situation! Correctness has obviously to be defined wrt the underlying Linear 
Logic as we do below. Finally, note that when a BM is correct, it represents 
the history of the computation whereas its conclusion is the current available 
environment. 

Example 2. The composition of the EBMs $\alpha$ and $\beta$ is the BM $\alpha \circ_{\{b\}} \beta$ drawn in
the figure. Its type is $t(\alpha) \otimes t(\beta)$.

Definition 3 (Correctness (wrt sequentialization)). Let M be a BM, M
is correct iff there exists a formula C built with the connectives $\otimes$ and $\parr$, and
the variables $C(M)$ such that the sequent $H(M), t(M) \vdash C$ is provable in Linear
Logic.

Example 3. Let us give two more BMs $\delta$ and $\gamma$ of respective types $(f \otimes g) \multimap j$
and $c \multimap ((g \otimes h) \parr i)$.

- The following sequent is provable in LL: $a, t(\alpha \circ \beta \circ \gamma \circ \delta) \vdash d \parr (e \otimes j \otimes h) \parr i$.
The (correct) BM $\alpha \circ \beta \circ \gamma \circ \delta$ is drawn in the figure.

- Let $\varepsilon$ be an EBM of type $(d \otimes e) \multimap k$, the BM $\beta \circ \varepsilon$ is not correct. Note the
trip through d and e in the figure.



As we shall focus first on characterizing correctness on closed modules, and 
then generalize our results to open modules, we adjoin to the term correct the 
kind of modules we speak of, e.g. c-correct when the module is closed, o-correct 
when it is open. 

3 Closed modules 

A closed module is a BM where the sets of hypotheses and conclusions are
empty. Correctness of closed modules may be tested either in sequent calculus
or by means of proofnets. We use this latter representation in this section. Girard
in his seminal paper gave a parallel syntax for multiplicative linear logic
as oriented graphs called proof-nets. A correctness criterion enables one to
distinguish sequentializable proof-structures (say such oriented graphs) from "bad"
structures. The reader may find in j2j the definitions of proof structures and
switchings. One generalizes this definition to n-ary connectives in the obvious
way (taking care of associativity and commutativity of $\otimes$ and $\parr$) in place of
standard binary ones. One modifies in the same way the definitions of switching,
introducing generalized switches. In particular an n-ary $\parr$ connective has n
switched positions. One still can define switched proof-structures and a criterion
generalizing Danos-Regnier correctness criterion: A closed module M is DR-correct
iff for all generalized switches s on $M^*$, $s(M^*)$ is acyclic and connected,
where $M^*$ is the proof structure associated to $t(M)^\perp$.⁵ We immediately have the
following proposition as a corollary of the DR-criterion theorem:

Proposition 1 (c-correction). Let M be a closed module,

M is c-correct iff $t(M) \vdash$ is provable in Linear Logic,
iff M is DR-correct.
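
The generalized Danos-Regnier test above can be run mechanically on the modules of Examples 1 and 3. The following Python code is an added example, not part of the paper: the tuple encoding of EBMs, the function names, the initial/final EBMs used to close the modules, and the reading of a module as a graph whose nodes are the poles (each variable linking the negative pole that produces it to the positive pole that uses it) are assumptions made for the illustration. It also checks the acyclicity condition on open modules used in section 4.

```python
from itertools import product

def ebm(name, hyps, *concl_sets):
    """One positive pole `name` with hypotheses, one negative pole per conclusion set."""
    return (name, tuple(hyps), tuple(tuple(cs) for cs in concl_sets))

def build(module):
    """Return nodes, fixed pole-to-pole edges, and the switch positions of each negative pole."""
    consumer = {}                          # variable -> positive pole using it as hypothesis
    for name, hyps, _ in module:
        for h in hyps:
            if h in consumer:
                raise ValueError(f"label {h!r} is used twice as a hypothesis")
            consumer[h] = ("+", name)
    nodes, fixed, switches = [], [], []
    for name, _, concl_sets in module:
        pos = ("+", name)
        nodes.append(pos)
        for k, concls in enumerate(concl_sets):
            neg = ("-", name, k)
            nodes.append(neg)
            fixed.append((pos, neg))       # link between the positive pole and its negative pole
            if concls:                     # an n-ary negative pole has n switched positions
                switches.append([(neg, consumer.get(c)) for c in concls])
    return nodes, fixed, switches

def switched_graphs(module):
    """Yield (nodes, edges) of s(M) for every generalized switch s."""
    nodes, fixed, switches = build(module)
    for pick in product(*switches):
        # a pending conclusion (target None) contributes no edge
        yield nodes, fixed + [(n, t) for n, t in pick if t is not None]

def analyse(nodes, edges):
    """Union-find pass returning (acyclic, connected) for an undirected graph."""
    parent = {n: n for n in nodes}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    acyclic = True
    for u, v in edges:
        ru, rv = find(u), find(v)
        if ru == rv:
            acyclic = False                # this edge closes a cycle
        else:
            parent[ru] = rv
    return acyclic, len({find(n) for n in nodes}) == 1

def is_closed(module):
    hyps = {h for _, hs, _ in module for h in hs}
    concls = {c for _, _, css in module for cs in css for c in cs}
    return hyps == concls

def is_acyclic(module):
    """Acyclicity of a (possibly open) module: every switched graph is acyclic."""
    return all(analyse(n, e)[0] for n, e in switched_graphs(module))

def is_dr_correct(module):
    """DR-correctness of a closed module: every switched graph is acyclic and connected."""
    if not is_closed(module):
        raise ValueError("DR-correctness is stated for closed modules only")
    return all(analyse(n, e) == (True, True) for n, e in switched_graphs(module))

# EBMs of Examples 1 and 3 (types as given in the text).
ALPHA = ebm("alpha", "a", "bc")            # a -o (b (x) c)
BETA = ebm("beta", "b", "d", "ef")         # b -o (d par (e (x) f))
GAMMA = ebm("gamma", "c", "gh", "i")       # c -o ((g (x) h) par i)
DELTA = ebm("delta", "fg", "j")            # (f (x) g) -o j
EPSILON = ebm("epsilon", "de", "k")        # (d (x) e) -o k

OPEN = [ALPHA, BETA, GAMMA, DELTA]
# Constructed closure: an initial EBM for a, final EBMs for d, (e, j, h) and i.
CLOSED = [ebm("init_a", "", "a")] + OPEN + [ebm("fin_d", "d"), ebm("fin_ejh", "ejh"), ebm("fin_i", "i")]
# Constructed closure of beta o epsilon, which the text states is not correct.
BAD_CLOSED = [ebm("init_b", "", "b"), BETA, EPSILON, ebm("fin_f", "f"), ebm("fin_k", "k")]

if __name__ == "__main__":
    print("alpha o beta o gamma o delta acyclic:", is_acyclic(OPEN))
    print("its closure DR-correct:", is_dr_correct(CLOSED))
    print("beta o epsilon acyclic:", is_acyclic([BETA, EPSILON]))
```

The switch of `beta` that selects e produces the cycle through d and e mentioned in Example 3, so `is_acyclic([BETA, EPSILON])` is false.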

Remember that the equivalent (binary) Danos correctness criterion may be 
implemented by means of a contraction relation on proof structures. However, 
intermediate reduced structures may not be describable in terms of (bipolar) 
modules. Moreover such a contraction relation does not take advantage of the 
incremental definition of modules as a composition of elementary bipolar mod- 
ules. A first idea consists in representing the resolution step (implicit in EBMs 
composition) in terms of modules. We first give below such a (small step) reduc- 
tion rule that is stable wrt correctness with ^as the correct normal form, where 

denotes the terminal EBM (i.e. smallest final and initial). We give then a sec- 
ond proposal that takes care of the focalization property. Though a resolution 
step reduces one variable, this second formulation uses as a whole the structure 
of a module thanks to focalization. 

Let ^0 be the transitive closure of the following relation defined on literals 
of a proof-structure 0: let u and v be two literals of 0, u v iff u x and v 
are in the same subtree with root $\otimes$ of the formula corresponding to 0. We note
$u \leadsto v$ when there is no ambiguity. In the following, we consider proof-structures
modulo neutrality of the constant 1 and associativity of connective $\parr$.

⁵ We abusively note $s(M)$ in place of $s(M^*)$ in the following.



Definition 4 (Small step reduction rule). Let $\rightarrow$ be the reduction relation
given by: if $\forall v$ a literal of $\psi$, $v \not\leadsto x$ then




Theorem 1 ((small steps) Correctness criterion). Let M be a closed BM, 
M is correct iff M* 1. 

Briefly speaking, one can prove that the relation $\rightarrow$ and the inverse relation
are stable wrt DR-correctness by induction over the height of $\psi$. One may want
to get rid of the (global) condition in favor of a local condition. This is possible
thanks to the structure of modules. Suppose M is a correct closed module, then
one may define an equivalent proof-net by sufficiently adding fresh variables as
described in the introduction. It is easy to prove that the constraint is satisfied
by $x$ or $x^\perp$ for each variable x. However, the reduction system being not strongly
confluent, a reduction on a variable may lead to a proof structure on which the
condition is not always satisfied. There are two cases where this does not happen:
either all variables on a tensor have their negation on the same $\parr$, or the converse
interchanging $\parr$ and $\otimes$. The following (big step) reduction relation $\twoheadrightarrow$ with two
rewrite rules uses this fact. Note that this system is confluent and terminates.

Proposition 2 (Stability). Let M and N be two closed modules and $M \twoheadrightarrow N$,
M is c-correct iff N is c-correct.

Proof. One can define a function from left switched module onto right switched 
module stable wrt acyclicity, connexity, and the inverse properties. □ 

Theorem 2. A closed module M is c-correct iff M 

Proof. As the reduction rules are stable wrt correctness, it remains to prove 
that a correct non-terminal closed module M can always be reduced. We define 
a partial relation on negative poles: a negative pole is smaller than another one 
if there exists a positive pole st the first negative pole is linked to the bottom of 
the positive pole and the second negative pole is linked to the top of the positive 
pole. We consider the transitive closure of this relation. 

If maximal negative poles do not exist then there exists at least one cycle 
in the module alternating positive and negative poles. We can then define a 
switching function on the module (choosing the correct links for negative poles) 
st the switched module has a cycle. Hence contradiction. 

So let us consider one of the maximal negative pole, and the corresponding 
positive pole. We remark that such a negative pole has no outcoming links (the 
module is closed and the negative pole is maximal) . If the positive pole has other 
negative poles, we can omit the maximal negative pole by neutrality. Otherwise, 
let us study the incoming negative poles. 

If there is no such incoming link, then M is the terminal module. If each 
incoming negative pole has at least one link going to another positive pole, then 
one can define a switching function using for each of these negative poles one 
of the link that does not go to the positive pole we considered first. Hence the 
switched module is not connected (there are no outgoing links). Hence contra- 
diction. So there exists at least one incoming negative pole with the whole set of 
links associated to the positive pole: the first rule applies and we are finished. □ 

4 Open modules 
4.1 O-correction 

We focus in this section on open modules. An open module is a possibly non 
closed BM. The bigstep reduction relation presented in the previous section is 
not sufficient to characterize again correction of open module. Let U be the first 
module of the next example. One cannot apply on U a bigstep reduction on the 
negative pole with variable a as this pole remains in the normal form though U 
seems correct. The c-correctness theorem 2 is no longer valid for open modules.

Correctness of open modules is defined wrt correctness of closed extensions. A 
closure M of an open module M is a closed module such that M is a submodule of 
M. As a BM is a graph with pending edges, one defines submodules and induced
modules as expected. We use the notation M for the module M without M but 
with border b(M). In the following example U is a closure of U st U is the right 



module. The composition of U with a set of only initial/final EBMs is a closure 
too. 




An open module M is o-correct iff there exists a c-correct closure of M. 
The open module U of the example is o-correct because the given closure is 
c-correct. Note that there is no other c-correct closure. Hence it is not possible 
in general to split the problem of finding a closure into finding a completion by 
initial modules and final modules. In the previous section, we defined a rewriting 
system able to test the correctness of a closed module. As this system is stable 
wrt connexity and acyclicity, it is invariant wrt the Danos-Regnier criterion. 
In order to take care of open modules, we extend connexity to connectability 
(acyclicity is treated easily) and prove that connectability and acyclicity are 
necessary and sufficient for o-correctness. However, we are not able to define a 
single rewriting system that commutes with composition. An open module M 
is acyclic if for all generalized switches s on M, s(M) is acyclic. Note that a 
submodule of an acyclic module is obviously acyclic. 

An open module M is connectable iff there exists a connected closure M st
M is acyclic. As a connected closed module is already connectable (just take 
itself as closure), the connectability is an extension of the connexity property. 
We give an equivalent definition: an open module M is connectable iff the closed 
module M o F is connected where F is a full connector EBM for M, i.e. F has 
as hypotheses the set of conclusions of M, is final if M has no hypothesis or has 
a negative pole with one conclusion for each of its hypotheses. In fact if there
exists a connected closure M then M o M is connected. So a fortiori, M o F is 
connected. The converse comes from the definition. 

Theorem 3 (o-correction). An open module M is o-correct iff M is acyclic 
and connectable. 

Proof. By definition o-correction implies acyclicity and connectability. 
If M is acyclic and there exists a connected closure M st M is acyclic then 
by induction on the number of cycles of M, one can construct an acyclic and 
connected closure of M. 

If there is a cycle $\sigma$ in M then by hypothesis $\sigma \cap b(M) \neq \emptyset$. Suppose there exists
a hypothesis of M, $h \in \sigma \cap b(M)$; one defines N to be M where we substitute a
fresh label $h'$ to h. Let N' be the composition of the initial EBM of border $\{h\}$,
the final EBM of border $\{h'\}$ and N. $M \circ N'$ has one cycle less than M and is
a connected closure.

Otherwise the elements of $\sigma \cap b(M)$ are conclusions of M. Let c be such a
conclusion. We consider the following cases:

- if c in $\sigma \cap b(M)$ is the only conclusion of a negative pole n, then one can do
the same thing as in the previous case.

- else let d be a conclusion in $\sigma \cap b(M)$ distinct from c of n. One renames c
(resp. d) in M in $c'$ (resp. $d'$) to get N. One defines also an EBM D with
one conclusion $d'$ and two hypotheses c and d, and an initial EBM E with
conclusion d . Then $X = M \circ D \circ E \circ N$ is a connected closure of M and
$D \circ E \circ N$ is acyclic. Hence X is a connected closure of $M \circ D$ and $E \circ N$ is
acyclic. We suppressed the cycle $\sigma$. However, it may be the case that there
were a cycle through d and D doubles it! For that purpose, we transform M
to get rid of this extra cycle. Let M' be M where we identify the two edges
labelled c and d in one labelled $d'$. Then $M' \circ E \circ N$ is a connected closure of
M' and $E \circ N$ is acyclic. Moreover the number of cycles in $M' \circ E \circ N$ is one
less than in M. Thus there exists N' acyclic such that $M' \circ N'$ is c-correct.
Hence $M \circ D \circ N'$ is c-correct. □

4.2 Acyclicity and Connectability Criteria 

Acyclicity. An open module M restricted to the subset I of b(M) is the subgraph
of M where we omit pending edges not in I. We denote it $M|_I$. Informally
an open module M restricted to I is a submodule of border I. The restriction of
an open module to the empty set is a closed module. Restriction gives naturally
an equivalent definition of acyclicity for open modules: an open module M is
acyclic iff the closed module $M|_\emptyset$ is acyclic. Hence the proposition given in the
previous section applies:

Proposition 3 (acyclicity). An open module M is acyclic if $M|_\emptyset \twoheadrightarrow^* Y$.

Proof. $M|_\emptyset$ is a closed module and $M|_\emptyset \twoheadrightarrow^* Y$ then by (inverse) stability of
acyclicity $M|_\emptyset$ is acyclic. M is then acyclic. □

Note that the converse is not true, otherwise acyclic closed modules would
be correct! A way to characterize acyclicity by means of a reduction relation is
to enlarge the reduction (quotienting the set of normal forms). Splitting the
negative poles suffices to continue reduction until we get a non-empty set of Y:

closing modules may link disjoint connected components. It is then obvious to
deduce a necessary and sufficient condition for acyclicity.

Andreoli considered in 0j only transitory proof-structures. A transitory
proof-structure is equivalent to a BM without hypothesis⁶ such that negative poles have
always conclusions and obtained by a bottom-up composition of EBMs. As negative
poles have pending edges, there is always a way to connect it to other parts
of the module: if a transitory module M is acyclic then M is connectable. Hence
a transitory module M is o-correct iff M is acyclic. The reduction relation we
give to test acyclicity can be considered as an alternative to Andreoli's method.

⁶ In fact, there may be hypotheses in built modules but these are unused.



Connectability: a contraction relation. The proof of the correctness of
the big step reduction relation for closed modules gives the keys for finding a
connectability property that relies on the structure of an open module (and not
on the modules candidate to close it!). That proof is based on first reducing
maximal negative poles. In the case of open modules, maximal elements may
have pending edges that should be connected in the closure. But we notice that
we keep connectability if we replace the whole set of pending edges for such an
element by just one pending edge. With this in mind, we consider the following
(non oriented) contraction relation on (contracted) modules:

Rule (4) is restricted to cases where the negative pole is such that for all
$i \in I$, $\alpha_i \cap b(M) \neq \emptyset$ and $\alpha \subseteq b(M)$, where b(M) is the set of pending edges
of M, i.e. the border set. The sets I and $\alpha$ may be empty. We denote by $\rightarrow_c^1$
one rewriting step and by $\rightarrow_c$ the reflexive and transitive closure of $\rightarrow_c^1$. We call
contracted node a black node. Note that rule (4) is simply the rewriting of a
negative pole in a contracted node if the condition is satisfied. Thus acyclicity
is not preserved but connectability is.

Proposition 4. The relation $\rightarrow_c$ is strongly confluent and terminates.

Proof. The first rule acts just as a mark. We can forget it: it is just for convenience.
Each rule applies locally and strictly decreases the number of negative
poles and contracted nodes. The rules are disjoint except for a pair of negative
poles linked by the same contracted node $i_0$ for which rule (4) can be applied
(it is a trivial case), and except for a left member of rule (3) st rule (4) applies
too: in this case results are identical. □



We extend the notions of switching to modules with contracted nodes: contracted
nodes are treated as positive poles. Acyclicity, connexity, closure and
connectability are extended in the same way. As in the section devoted to closed
modules, our strategy consists in characterizing amongst normal forms of this
relation the correct ones, and prove stability of, say, connectability. Let M be
an open module and f the corresponding normal form. By definition if f does
not contain a negative pole then f is a set of contracted nodes $\{n_j\}_{j \in J}$ st all
pending edges are in b(M). We use the notation cc for a set of contracted nodes
$\{n_j\}_{j \in J}$ st for all $j \in J$, $n_j$ has at least one edge in the border b(M) except if
$|J| = 1$. If f contains a negative pole N then, f being a normal form of relation
$\rightarrow_c$, rule (4) does not apply on N. Hence the set I as defined by rule (4) is st
there exists $i_0 \in I$, $\alpha_{i_0} \cap b(M) = \emptyset$. Moreover this contracted node $i_0$ is linked to
hypotheses of negative poles $\{h_l\}_{l \in L}$ and to conclusions of only negative poles
$\{c_k\}_{k \in K}$ st each of them has other conclusions $\beta_k \neq \emptyset$ not linked to $i_0$ (otherwise
rule (2) applies for such nodes):

If we suppose the negative pole N is a maximal one (i.e. $H = \emptyset$), there is a
switching (on $\alpha$ or on some $i \neq i_0$ and on one of each $\beta_k$) st f (as closures of f)
is not connected. Thus f is not connectable.

Example 4. The following subforms imply not connectability:



Proposition 5 (stability). Connectability is stable wrt (resp. inverse) contrac- 
tion rules. 

Proof. The three first rules satisfy obviously stability and inverse stability. Let 
M be an open module st M M' by the contraction rule (4) and there 
exists M connected and M acyclic. Obviously M' o M is connected. Concerning 
inverse stability, let M be an open module st M M' by the contraction rule 
(4) and let F be a full connector EBM for M'. Note that b(M') = b(M). The 
connectability of M' implies that $M' \circ F$ is connected. Wrt rule (4), because
for all $i \in I$, $\alpha_i \cap b(M) \neq \emptyset$ and $\alpha \subseteq b(M)$, for every switch s, $s(M \circ F)$ is
connected too. □

By stability and inverse stability of connectability we have: 

Theorem 4. Let M be an open module, M is connectable iff $M \rightarrow_c cc$. Hence
an open module M is o-correct iff M is acyclic and $M \rightarrow_c cc$.

5 Composition of modules



In the sequel we discuss an incremental criterion to test the composition of an
open module with an EBM. Let M be an o-correct open module and E an
EBM st $b(M) \cap b(E) \neq \emptyset$ (otherwise the test is easy). As seen above, acyclicity
and connectability, hence o-correctness, of M may be decided by computing
normal forms. Our aim is to decide the o-correction of the composition $M \circ E$
'incrementally' i.e. not directly but o-correctness of M being given. From the
previous section we have:

M is o-correct iff $M|_\emptyset \twoheadrightarrow^* Y$ and $M \rightarrow_c cc$

Because of the restriction of M to the empty border, the acyclicity condition
given above does not commute with composition. It is the same for connectability:
even if there is preservation of the border with $\rightarrow_c$, a choice is made for the
completion of M which may be different from the way composition with E is
done. For example we have:

In the sequel we show that if we release the restriction operation we can
incrementally manage acyclicity. The relax of the (implicit) completion in the
rewriting rules dealing with connectability gives also an incremental (but not so
convenient) criterion for connectability.

5.1 Incremental acyclicity

Note that the restriction to empty set is stable wrt the reduction $\twoheadrightarrow$, i.e. if M is
an open module st $M \twoheadrightarrow^1 N$ then $M|_\emptyset \twoheadrightarrow^1 N|_\emptyset$. Hence an incremental test for
acyclicity follows:

Proposition 6. Let M be an open module st $M \twoheadrightarrow^* f$ and E an EBM. $M \circ E$
is acyclic if $(f \circ E)|_\emptyset \twoheadrightarrow^* Y$.

Proof. If $M \twoheadrightarrow^* f$ then $(M \circ E) \twoheadrightarrow^* (f \circ E)$. Following previous remark, (M o

□

5.2 Contraction relation (without completion)

We consider the rewriting system given to test connectability where rule (4) is
restricted to the following degenerated case ($\alpha = I = \emptyset$ and application of rule
(2)):



We denote by $\rightarrow_w^1$ one rewriting step and by $\rightarrow_w$ the reflexive and transitive
closure of $\rightarrow_w^1$. As it is a subsystem of the previous one, the relation $\rightarrow_w$
terminates and is still strongly confluent (there are only trivial independent pairs).

We study the normal forms. By definition an open module contracts in a
normal form composed with only contracted nodes or contracted modules where
each negative pole N is of the following form:

- I is a (possibly empty) set of contracted nodes,

- each $i \in I$ is linked to a set $C_i$ of other negative poles by conclusions
and to a set $H_i$ of other negative poles by hypothesis (the sets $C_i$ and
$H_i$ may be empty). Moreover for all $c_i \in C_i$, $\beta_i \neq \emptyset$,

- $\alpha$ and $\alpha_i$ are (possibly empty) subsets of b(M) for all $i \in I$.

We focus on the two possible forms of negative pole:

- there exists $i_0 \in I$ st $\alpha_{i_0} = H_{i_0} = \emptyset$. We denote such forms by notcc.

- for all $i \in I$, $\alpha_i \neq \emptyset$ or $H_i \neq \emptyset$. These negative poles may be considered in
the previous system $\rightarrow_c$.

If a normal form has no negative poles then it is a set of contracted nodes.
We add to the notcc forms the case where there is at least one contracted node
without pending edges and other nodes.

In order to compare these normal forms with the normal forms of $\to_c$ observe
that: (i) by definition of normal forms, if $I = \emptyset$ then $\alpha \neq \emptyset$, and if $I \neq \emptyset$ then
$|I| \geq 2$ or $\alpha \neq \emptyset$, (ii) for all $i \in I$ for all $c_i \in C_i$ we have $\beta_i \neq \emptyset$. It follows that if
a normal form g wrt $\to_w$ of an open module M contains a notcc subform then
there is a generalized switch st g is not connected. The stability of connexity wrt
$\to_w$ being given, M is not connected (neither its closures), thus not connectable.

Remark that the notcc forms are already in the previous system: they are
normal forms which are not the cc forms! In fact the notcc subforms are invariant
wrt the previous system $\to_c$. Moreover as inverse stability of connectability
is easily proven, we have:

Theorem 5. Let M be an open module, M is connectable iff $M \to_w g$ st
notcc $\notin$ g.

Proof. Let M be st $M \to_w g$. If notcc $\in$ g then g is not connected (neither
its closures) and by stability of connexity M is not connectable. Conversely, if
notcc $\notin$ g then g cc by invariance of notcc wrt $\to_c$. By theorem QJ g is
connectable. The result is obtained by inverse stability of connectability wrt $\to_w$.

□

Hence, an open module M is o-correct iff M is acyclic and $M \to_w g$ st
notcc $\notin$ g. By confluence property and theorem we have an incremental test:
Let M be a connectable open module st $M \to_w g$ and E an EBM st
$b(M) \cap b(E) \neq \emptyset$. We have:

$M \circ E$ is connectable iff $f \circ E \to_w g$ st notcc $\notin$ g.

5.3 A test for composition

Testing the composition of an EBM E on a correct module M may be done in the
following way. We associate to such a module M a pair (f, g) such that $M \to^* f$
and $M \to_w g$. We compute the pair (f', g') associated to $M \circ E$: $f \circ E \to^* f'$ and
$g \circ E \to_w g'$. Then E may be plugged onto M, i.e. the composition is correct,
iff $f'|_\emptyset \to^*$ J and notcc $\notin$ g'. This test may be implemented in such a way that
pre-computations are done in M in order to optimize the test. Moreover this
pre-computation allows for a concurrent treatment for testing composition by
only locking a reduced part of the module M.

6 Conclusion 

Concurrent construction of proof-nets allows for a new approach in designing 
concurrent logic programming languages. In the framework developed by
Andreoli in recent papers, we first presented a criterion for testing the correctness
of closed modules (i.e. validity of the execution of a logic program), then we 
extended the criterion to open modules after proving that correctness of open 
modules reduces to testing acyclicity and connectability. Furthermore, criteria 
for acyclicity and connectability lead naturally to incremental verification. 

7 Annex



7.1 Proofnets 

Girard in his seminal paper gave a parallel syntax for multiplicative linear 
logic as oriented graphs called proof-nets. A correctness criterion enables one 
to distinguish sequentializable proof-structures (say such oriented graphs) from 
"bad" structures. 

Definition 5 (Proof structure). A proof structure is a graph whose vertices
are labelled with formulae and built from the following links (i.e. graphs):

- Axiom-link (two conclusions, no premise)

- Cut-link (two premises, no conclusion)

- $\otimes$-link (two premises, one conclusion)

- $\parr$-link (two premises, one conclusion)

- 1-link (no premise, one conclusion)

and every occurrence of a formula is a premise of at most one link and is a
conclusion of exactly one link.

For every link l, a set S(l) of graphs called Switching positions is given.
S(l) = {l} except when l is a $\parr$-link. S($\parr$-link) is defined by the two following
switches:

    $\parr_l$:   A     B          $\parr_r$:   A     B
                  \                                /
                 A $\parr$ B                  A $\parr$ B

A switching s of a proof-structure $\theta$ is a function which associates a switching
position $s(l) \in S(l)$ to every link l of $\theta$. The switched proof-structure $s(\theta)$ is
the graph with vertices the formulae labelling $\theta$, and edges the ones given by the
switching function s.

A Danos-Regnier proof-net is a proof-structure st each switched proof-structure
is a tree, i.e. a connected and acyclic graph.

We recall: 

Theorem 6. A proof structure is a Danos-Regnier proof net with conclusions
$\Gamma$ iff there exists a proof $\pi$ of the sequent $\vdash \Gamma$ in multiplicative linear logic.
Furthermore, one may define a correspondence between proofs and proof-nets.
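
The Danos-Regnier criterion of Definition 5, as an added example (not code from the paper): a brute-force checker that enumerates every switching and reports, for each switched graph that is not a tree, whether it fails by a cycle or by disconnection. The tuple encoding of links, the function names and the three sample structures are assumptions of this example.

```python
from itertools import product

def switched_edges(links, choice):
    """Edges of one switched proof-structure. `choice` maps the index of each
    par link to 'l' or 'r' (keep the left or the right premise edge)."""
    edges = []
    for i, (kind, *f) in enumerate(links):
        if kind in ("ax", "cut"):        # two formulae joined directly
            edges.append((f[0], f[1]))
        elif kind == "tensor":           # both premises reach the conclusion
            edges += [(f[0], f[2]), (f[1], f[2])]
        elif kind == "par":              # exactly one premise edge survives
            edges.append((f[0] if choice[i] == "l" else f[1], f[2]))
        elif kind != "one":              # a 1-link contributes a vertex only
            raise ValueError(f"unknown link kind: {kind}")
    return edges

def classify(vertices, edges):
    """Return 'tree', 'cycle' or 'disconnected' (union-find, cycle first)."""
    parent = {v: v for v in vertices}
    def find(v):
        while parent[v] != v:
            parent[v] = parent[parent[v]]   # path halving
            v = parent[v]
        return v
    for a, b in edges:
        ra, rb = find(a), find(b)
        if ra == rb:
            return "cycle"
        parent[ra] = rb
    # An acyclic graph is connected iff it has |V| - 1 edges.
    return "tree" if len(edges) == len(vertices) - 1 else "disconnected"

def dr_failures(links):
    """Every switching whose switched graph is not a tree, with the reason.
    Enumeration is exponential in the number of par links."""
    vertices = {name for _, *f in links for name in f}
    pars = [i for i, link in enumerate(links) if link[0] == "par"]
    failures = []
    for switches in product("lr", repeat=len(pars)):
        choice = dict(zip(pars, switches))
        verdict = classify(vertices, switched_edges(links, choice))
        if verdict != "tree":
            failures.append(("".join(switches), verdict))
    return failures

def is_dr_proof_net(links):
    return not dr_failures(links)

# Constructed samples; formula occurrences are named by strings.
GOOD = [("ax", "A", "A^"), ("ax", "B", "B^"),
        ("tensor", "A", "B", "A*B"), ("par", "A^", "B^", "A^|B^")]
CYCLIC = [("ax", "A", "A^"), ("tensor", "A", "A^", "A*A^")]
SPLIT = [("ax", "A", "A^"), ("ax", "B", "B^"), ("par", "A", "B", "A|B")]

if __name__ == "__main__":
    for name, net in [("GOOD", GOOD), ("CYCLIC", CYCLIC), ("SPLIT", SPLIT)]:
        print(name, is_dr_proof_net(net), dr_failures(net))
```

The two failure kinds correspond to the two properties the paper tests separately, acyclicity and connexity.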

7.2 Sequent calculus style / Reduction by small steps 

Let $\leadsto_C$ be the transitive closure of the following relation defined on literals of
a formula C: let u and v be two literals of C, $u \leadsto_C v$ iff $\exists G, H$ st C is of the
form C[G[tt x ] ^ We note $u \leadsto v$ when there is no ambiguity.






Definition 6 (Small step reduction rule). Let $\to$ be the reduction relation
given by:

if $\forall v \in fv(\phi[.])$, $v \not\leadsto_C x$.

Theorem 7 (Stability). Let x and $x^\perp$ appear only once in C, if
$C[\phi[x] \otimes \psi[x^\perp]] \vdash$ is provable and the reduction rule applies, then
$C[\phi[\psi[\perp]]] \vdash$ is provable.

Proof. The proof consists in five main steps. In a first part we sketch the steps
and give clues for the simplest ones. In a second part, we detail the more complex
second step.

- The five steps:

1. a proof $\pi$ of $C[\phi[x] \otimes \psi[x^\perp]] \vdash$ exists then $\pi$ is of the form:

$$\begin{array}{c} S, \phi[x], \psi[x^\perp] \vdash \\ \vdots \ (1) \\ C[\phi[x] \otimes \psi[x^\perp]] \vdash \end{array}$$

where $\pi'$ is the subproof of $\pi$ with conclusion $S, \phi[x], \psi[x^\perp] \vdash$, where S
is a multiset of formulae. The proof is done by recurrence (note that the
language is only multiplicative).

2. a proof $\pi'$ of $S, \phi[x], \psi[x^\perp] \vdash$ exists then there exists $\pi''$, proof of
$S, \phi[x], \psi[x^\perp] \vdash$ of the form:

$$\begin{array}{c} T, x, \psi[x^\perp] \vdash \\ \vdots \ (2) \end{array}$$

we delay the proof of this step below.

3. a proof $\rho$ of $T, x, \psi[x^\perp] \vdash$ exists then a proof $\nu$ of $T, \psi[\perp] \vdash$ exists: the
variable x appears only once in the proof $\rho$, then this proof is of the form
(the language is only multiplicative):

$$\begin{array}{c} x, x^\perp \vdash \\ T, x, \psi[x^\perp] \vdash \end{array}$$

Hence, by recurrence one may build a proof $\nu$ of the form:

... TP

$T, \psi[\perp] \vdash$

4. a proof $\nu$ of $T, \psi[\perp] \vdash$ exists, then a proof of $S, \phi[\psi[\perp]] \vdash$ exists: one
completes the proof $\nu$ with the inference steps used in (2) (this may be
proved by recurrence on the number of inference steps).

5. a proof of $S, \phi[\psi[\perp]] \vdash$ exists then a proof of $C[\phi[\psi[\perp]]] \vdash$ exists: as the
step before, inference steps in (1) may now be applied to get the result.

- proof of the second step: briefly speaking, we transform the proof it' by 
commuting rules with subformulae of ip\\ or S as principal formula with rules 
with </>\\ as principal formula in order to decompose (/>[] before (reading 
the proof bottom-up). The constraint makes it possible. The demonstration 
is done by induction on the height of the proof and in three steps: 

1. We mark formulae in the proof n' in the following way: 

• we mark A each formula A that is a subformula of a formula con- 
taining a literal w st w £ or 3v e ip[],v^ w. 

• we mark A each formula A that is a subformula of a formula contain- 
ing a literal w st w <E 4>[] or w ~> x. Note that ip[] cannot be marked 
with 7 because of the constraint. Suppose that a formula A has two 
marks then it must be of the form A\ ® A 2 and A\ and A2 have no 
other marks because of the constraint. Because ®l is asynchronous 
we can decompose first such a formula (that is different from ip\\ as 
we noted above) . Hence we consider for the following that a formula 
is not marked simultaneously 7 and 7. 

• we mark A a formula unmarked by the two previous rules. 

2. We prove now a one step inversion property (remember we "read" the 
proof bottom-up): 

• if 7r' contains a rule on a formula marked 7 followed by a rule <S>l 
on a formula marked 7 or '., one may commute the two inferences: 
<E>l is asynchronous and the marks being different, the formulae are 
distinct. 

• if tt' contains a rule ^ona formula marked 7 followed by a rule ^ l 
on a formula marked 7 or '., one may commute the two inferences: use 
either the associativity of if the inferences are done on the same 
formula or the fact that contexts are splitted independently. 

• if n' contains a rule ®l on a formula marked 7 followed by a rule ^ l 
on a formula marked 7, one may commute the two inferences: there 
are really two cases, 

a,B l7 &,C u Pi h b,B 2 J,C 2 ,D 2 h 
a,6,Bi,5 2 ,^f/3,Ci,g 2 ,Di,l) 2 h ^ 



Bi.q.Ci.Dil- a~b,B 2l ~P,C 2 ,D 2 V- 
~a®b, Bi,B 2 , aTfp, C-l,C 2 ,D u D 2 h 



But one of two premises does not contain formulae marked 7 (the 
one without x and x- 1 ), hence the first one is not allowed. Then the 
commutation property follows. 
• other cases are treated easily. 
3. we end with a classical induction on the height of the proof to show 
that decomposition of 7-formulae may be done before decomposition of 
7- formulae. □ 

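Theorem 8 (Inverse Stability). If $C[\phi[\psi[\perp]]] \vdash$ is provable, then
$C[\phi[x] \otimes \psi[x^\perp]] \vdash$ is provable.

Proof. If $C[\phi[\psi[\perp]]] \vdash$ is provable then there exists a proof of the following form
(where S and T are multisets of formulae):

IT

$$\begin{array}{c} T, \psi[\perp] \vdash \\ S, \phi[\psi[\perp]] \vdash \\ C[\phi[\psi[\perp]]] \vdash \end{array}$$

As $x, x^\perp \vdash$ is provable, one may prove by induction on the height of the proof
(applying the previous inference steps) that there exists a proof of the following
form:

$$\begin{array}{c} x, x^\perp \vdash \\ T, \psi[x^\perp], x \vdash \\ S, \psi[x^\perp], \phi[x] \vdash \\ S, \psi[x^\perp] \otimes \phi[x] \vdash \\ C[\phi[x] \otimes \psi[x^\perp]] \vdash \end{array}$$

□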

Theorem 9 ((small steps) Correctness criterion). Let M be a closed module,
M is c-correct iff $t(M) \to^* \perp$, where $\to^*$ is the transitive closure of $\to$
quotiented by the neutrality of $\perp$ wrt $\parr$.

Proof. The proof relies on stability and inverse stability. Let M be a closed
module.

- $\perp$ is the type of a c-correct module, hence by inverse stability, if t(M) reduces
to $\perp$, M is c-correct.

- Suppose M is c-correct. The proof is done by induction on the number of
variables appearing in M.

If t(M) does not contain variables, t(M) is of the form $\perp$, $\perp \parr F$ or $\perp \otimes F$
where F is built with $\perp$, $\parr$ and $\otimes$. The last case is not provable hence
contradicting the fact that M is c-correct. The second case is equivalent
to F (neutrality of $\perp$ wrt F). We conclude by induction on the number
of symbols appearing in t(M).

If t(M) contains variables. Remember that t(M) is of the form ®(2fo hf- 2? 
2y fe &>j k c "k)- As t(M) h is provable, there exists a polarized proof where 
each step is a complete decomposition of a formula corresponding to 
an elementary module (one of the elements of the tensor). Let us now 
consider one of the last (when we read the proof bottom-up) polarized 
decomposition, it has the following form: 



... xi,xj- h ... 
...,xi,...,7$ l xt\- 

Remark that the remainder of the proof does not contain with 7$i xj- 
as one premise an application of (i) a <S> except for the last step because 
M is a composition of elementary modules, (ii) a 2? because the proof 
is polarized. If t(M) h is obtained by application of a tensor rule, then 
the reduction rule applies considering whatever literal x\. Otherwise, the 
previous proof follows with a polarized step (g> then 2J : 



xux^V- 



, xi , . . . , 2$i x t h 



{J}U {/} = {/} 



••••// ®, •' •/ 2ft xj 1 - 2? 75,', • x{ ± , ' ' ' h 

t(M) h 

Then t(M) is of the form C[^[<^ j xj] ® ( 2^- .t^ ^ 2^-, xj' ^)] for each Z. 
The reduction criterion is satisfied for each xj hence the reduction rule 
applies. Finally, we note that the formula we get after reduction (and 
possibly using the neutrality of _L wrt 2?) is the type of the composition 
of elementary modules. □ 



7.3 (standard) Proof-net style / Small steps 

The correctness of (closed) modules may be tested by means of a contraction
criterion. In this subsection, we consider that modules are represented as proof
structures and we use extensively the Danos-Regnier criterion to test that a
proof-structure is correct. Let $\leadsto_\theta$ be the transitive closure of the following
relation defined on literals of a proof-structure $\theta$: let u and v be two literals of $\theta$,
$u \leadsto_\theta v$ iff $u^\perp$ and v are in the same subtree with root $\otimes$ of the formula
corresponding to $\theta$. We note $u \leadsto v$ when there is no ambiguity. In the following, we
consider proof-structures modulo neutrality of the constant 1 and associativity
of connective



Definition 7 (Small step reduction rule). Let $\to$ be the reduction relation
given by:

when $\forall v$ a literal of $\psi$, $v \not\leadsto x$

Theorem 10 (Stability). Let $\theta$ be a proof-structure, if $\theta$ is DR-correct and
$\theta \to \theta'$ then $\theta'$ is DR-correct.



Proof. Let be a proof-net satisfying the criterion of the theorem, let x be 
the variable involved in the reduction rule and <j> and ip as given by the rule. 
We have to prove acyclicity and connexity of 0' . We prove connexity of 0' by 
contradiction. Suppose there exists a switching function s'Q for 0' and u in 
<f> and v in ip are not connected. We consider the switching function sQ in 
extending s'Q with a link for the connective ^ (use ^l)- As is DR-correct, 
u and v are linked in s(0). x must be in the path, otherwise the path remains 
in s'(0') and u and v are linked. So there is a path u . . . x x . . . v, hence there 
is a path in s'{0') from u to point 2 (the previous path cannot go twice by x 
otherwise there is a cycle). Finally, because we choose the link ^l, in s(0) either 
the path from v to the root of tp does not pass through x and there is a path 
in s'{0') from the point 2 to v (and u and v are linked), or there exists w in 
tp and a path r$ . . . ww ' ...it . . . x . In this latter case, w ~> x 1 - and there is a 
contradiction. 

The demonstration of acyclicity is done by induction on the height of ip. We 
first prove commutation properties: 



— suppose the principal connective of <f> is a 2 ?, then is of the left form 
below. 2? being associative, is correct iff the right proof-structure LI below 
is correct. 




Let us suppose that there exists a cycle in 77 in one of the switched proof- 
structures, say s(II). Remark that the switched proof-structures issued from 
the sub-structures a, (3 and 7 of II are acyclic as this is true by hypothesis. 
We prove the result by studying cases wrt the switch chosen for 



• if there is a cycle, this one goes through at least one of the two nodes 
labelled ® and 2 ?. Otherwise, this cycle is also a cycle in 0. 



suppose s( 2 ?) = 7 $r: 



* if there exists a cycle 7r going through the node labelled ^ but not 
through f3, then 3v literal of 7 and w literal of a st ir is of the 
form w . . . r a ® ^ r 7 . . . v . . . w. Hence, there exist switched proof- 
structures for with path r 7 . . . v . . . w . . . r a that do not go through 
^ and ®. Amongst these, one can choose at least one switched proof- 
structure with the path v . . . w . . . r a <S> rpx . Hence, v is a literal of 
tp and v~~> x^. Contradiction. 




* if there exists a cycle 7r going through the node labelled ^ and 
through (3, then either this cycle goes through x or not: 

• if 7r goes through x then there exists » 6 ftu / x 1 - and s(7T) 
looks like the right figure. Hence one may choose a switch for 
that defines a cycle as in the left one. 




if 7r does not go through x then there exist v and w distinct 
from x in (3 and u ^ x in 7 st the cycle looks like the figure in 
the right. We define a path linking u to x 1 - in a switched proof- 
structure of depending on the main connective of the formula 
labelling the node joining v and x L . If this connective is ® then 
one may define a switch joining u and x^ via v, hence u x . 
If the connective is a 2 ?, one may define a switch joining also u 
and x 1 - as in the figure on the left. 




* if there exists a cycle w not going through the node labelled 2 ?, then 
this is also a cycle wrt a switched proof-structure of 0. 



• suppose s( 2 ?) =2 ?i. From a switch for 77 including a cycle that goes 
through 2?, one may define a switch for including a cycle that goes 
through ®, hence contradiction with acyclicity of 0. 
- Finally, let us suppose that (j> contains only one node labelled x 1 - , the fol- 
lowing reduction is stable under correctness: 



Theorem 11 (Inverse Stability). Let $\theta$ be a proof-structure, if $\theta \to \theta'$ and
$\theta'$ is DR-correct then $\theta$ is DR-correct.

Proof. Let and 0' be as in the theorem. Suppose there exists s() and s(0) is 
not connected. Let u and v be variables not connected in s{0). We can suppose 
that u £ 4> an d v £ ip: in other cases, either connexity remains as graph is 
unchanged or the cases reduce to the one we consider. Define s'Q as s() without 
the switch for the ^ (bottom of the figure for 0). s'Q is a switching function for 
0' . As 0' is DR-correct, u and v are connected in s'(0'). Either the path from 
v to u goes through point 2 or not. If it does not go through point 2, it goes 
through point 1 and exits ip by a variable w. Then w £ ip and w ~» x 1 - (principal 
connectives must be £g> otherwise the path in s'(0') is not valid). Contradiction. 
It it goes through point 2: there is a path in s'(0') from u to point 2, then in 
s(0) there is a link from u to x ± , there is a path in s'(0') from v to 1 (point 3) 
because 0' is DR-correct, then in s(0) there is a link from v to x. Hence u and 
v are connected. 

Suppose there exists s() and there is a cycle in s(0). Let s'Q be s() without 
the switch for the ^ (bottom of the figure for 6*) . Either the cycle goes through 
x or not. If it does not go through x, either the switch for ^ is a or a ^r. 
If it is a ^l, then one has immediately a cycle in s'(0'). If it is a ^r and does 
not go through <f>, one has still a cycle in s'{0'). Otherwise one can modify s() 
st one keeps the cycle and there is a direct path from the root of 4> to one of the 
variables of <fi in the cycle. In this case there is a cycle choosing ^ l that does not 
go through x and we are done. Finally, if it goes through x, suppose first that 
it does not go through ^, there must exist ii/i 1 exiting <fi and v ^ x exiting 
tp in the cycle. There is a path from u to v that does not go through <j> and tp, 
and a path from u to point 2 that does not go through x. Hence it is possible 
to define a switching function st there is a cycle in 0' . If it goes through ^r 
then there must exist a variable u in <j> where the cycle exits <j> to go to point 1 
without going through <fi, hence the cycle in 0' is obvious. If it goes through ^l, 







it goes from point 2 to point 1 and from point 1 to ip entering at a variable, say 
v without going through <j>. We can define a switching function for 0' st there is 
a cycle. □ 



Theorem 12 ((small steps) Correctness criterion). Let M be a closed BM,
M is correct iff $M^* \to^* 1$.

Proof. - Obviously the proof-structure 1 is DR-correct. Furthermore there are
no other DR-correct proof-structures without variables modulo neutrality of
1 wrt $\otimes$.

- Suppose M* is DR-correct, has still variables and is not reducible. For each
variable v, the pattern of the left hand side of the rule is satisfied (otherwise
it is easy to define a switch that gives a cycle), hence the condition on $\leadsto$ is
not satisfied: there exists a variable v' blocking v, i.e. $v' \leadsto v^\perp$. Let v be a
variable. From the previous remark and the fact that the number of variables
is finite, one can define a circular list of variables $v_0, \ldots, v_n$ st $v_i$ blocks $v_{i+1}$
(i modulo n). One may then define a cycle on the proof-structure that does
not intersect with $\otimes$ as minimal connectives. Then we can define a switching
function st there is a cycle in the switched structure. Contradiction.

- the rewriting rule is stable wrt DR-correctness and reducibility must occur
until there is no variable then if M is correct then $M^* \to^* 1$.

- the rewriting rule is stable wrt the inverse rewriting rule, then if $M^* \to^* 1$
then M is correct. □



7.4 Open modules: properties of the contraction relation without 
completion 

Proposition 7 (stability). Let M be an open module st $M \to_w M'$. The
following properties are stable wrt contraction rules:

1. border set, i.e. b(M') = b(M),

2. acyclicity,

3. connexity,

4. connectability,

5. c-correction,

6. o-correction.

Proof. By the trivial cases of 1., 2. and 3. we have the stability of c-correction.
Regarding stability of connectability, remark that if M is connectable by M then
from 1. and 3. M' is connectable by M o M'. By the way o-correction is stable
wrt contraction rules. □

Proposition 8 (inverse stability). Let M be an open module st $M \to_w M'$.
The properties of the proposition 7 are stable wrt inverse contraction rules.

The proof uses the same arguments.



